AdminSysGNULinux

Outils pour utilisateurs

Outils du site

Piste : notes_ansible_map_select_reject notes_lazarus architecture_et_code_-_bonnes_pratiques_-_design_pattern gpg_-_plan notes_supervision_check_mk cloud_-_packer.io notes_socat notes_lxde pb_de_taille_clonezilla notes_pki_java_pk12_pk12util_certutil_libnss3-tools
tech:notes_pki_java_pk12_pk12util_certutil_libnss3-tools

Table des matières

PKI Java pk12 pk12util certutil libnss3-tools NSS

Voir :

Voir aussi :

  • PKICertImport

NSS 

Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSL v2 and v3,
TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and
other security standards. For detailed information on standards supported, see

http://www.mozilla.org/projects/security/pki/nss/overview.html.

https://curl.haxx.se/docs/sslcerts.html 

If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module, libnsspem.so, which enables NSS to read the OpenSSL PEM CA bundle. On openSUSE you can install p11-kit-nss-trust which makes NSS use the system wide CA certificate store. NSS also has a new database format.

Starting with version 7.19.7, libcurl automatically adds the 'sql:' prefix to the certdb directory (either the hardcoded default /etc/pki/nssdb or the directory configured with SSL_DIR environment variable). To check which certdb format your distribution provides, examine the default certdb location: /etc/pki/nssdb; the new certdb format can be identified by the filenames cert9.db, key4.db, pkcs11.txt; filenames of older versions are cert8.db, key3.db, secmod.db.

Test CA 

openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs

Install NSS 

sudo apt-get update
 
# Obsolète
#sudo apt-get install -y p11-kit libnss3
#sudo apt-get install p11-kit-modules
 
#Install de certutil
sudo apt-get install libnss3-tools

Conversion des certs au format p12 

openssl pkcs12 -export -inkey your_private_key.key  -in result.pem -name my_name -out final_result.p12
openssl pkcs12 -export -inkey your_private_key.key -in your_certificate.cer -certfile your_chain.pem -out final_result.p12

Création de la NSS DB 

mkdir -p ~/.pki/nssdb
chmod 700 ~/.pki/nssdb
certutil -N -d $HOME/.pki/nssdb --empty-password

Import du certificat p12 dans la NSS DB 

pk12util -i server.p12 -d $HOME/.pki/nssdb -n Test

Vérif lister les certificats 

certutil -L -d sql:$HOME/.pki/nssdb
 
certutil -L -d sql:. -a -n "Amazon" | openssl x509 -text -noout

import each as trusted proxy 

# list of hosts to get certificates from
hosts="ip-of-squid-proxy1:443 ip-of-squid-proxy2:443"
 
for host in ${hosts}; do
  openssl s_client -connect ${host} -prexit </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > "${host}.crt"
  certutil -d sql:$HOME/.pki/nssdb -A  -t P,P,P -n "${host}" -i ${host}.crt
  rm ${host}.crt
done

source : https://gist.github.com/seanorama/b453524b8f24dcb625a901bc4d503a86

Autre - Importer un crt 

certutil -A -n "Test" -t ",," -i plop.fr.crt -d .
 
# CA
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n GoAgent -i ~/programs/goagent/local/CA.crt

NSS DB PATH - pour curl 

export SSL_DIR=$HOME/.pki/nssdb

Compil curl 

./configure --with-ssl --without-nss

Aide 

certutil -H
pk12util -H

keytool 

echo "### remove old keystore"
rm -f solrtest.keystore
 
echo "### create keystore and keys"
keytool -keystore solrtest.keystore -storepass "secret" -alias solrtest -keypass "secret" -genkey -keyalg RSA -dname "cn=localhost, ou=SolrTest, o=lucene.apache.org, c=US" -ext "san=ip:127.0.0.1" -validity 999999

Voir : 

apt-get install libnss3-tools

By default, certutil / pk12util searches for databases named cert8.db and key3.db, but some of the versions of Web Server use alternate names such as https-instance-hostname-cert8.db and https-instance-hostname-key3.db in that case add “-P https-instance-hostname-” parameter for the prefix. 

certutil -L -d certdir
 
#pkcs12util -o exportedcertfilename -d . -n Server-Cert
#pkcs12util -i exportedcertfilename -d . -h "Sun Metaslot"
pk12util -o exportcert -n Server-Cert_xx -d .

pk12util

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_pk12util

Import keys and certificates from a PKCS#12 file into a security database.

https://wts.uwo.ca/pki/resources/pk12util.html 

pk12util -d . -i /tmp/dropz.its.uwo.ca.p12
#pk12util -d . -P slapd- -i /tmp/auth.uwotest.ca.p12

Exemple certutil

Exemple 

mkdir $HOME/.pki/
certutil -N -d sql:$HOME/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb -L
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,C" -n "CA Root" -i /etc/pki/ca-trust/source/anchors/RootCA.crt
env SSL_DIR=$HOME/.pki/nssdb curl https://nok.acme.fr

Autres

mkdir -p $HOME/.pki/nssdb && chmod -R 0700 $HOME/.pki && certutil -d sql:$HOME/.pki/nssdb -N --empty-password
tech/notes_pki_java_pk12_pk12util_certutil_libnss3-tools.txt · Dernière modification : de Jean-Baptiste
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki